Information and communication technology systems

14.78 The capacity for Commonwealth officers to handle information effectively may depend upon the availability of suitable infrastructure—in particular, ICT systems. Commonwealth officers have identified the improvement of the capacity of ICT infrastructure to support information sharing—particularly secure or confidential information—as a key factor in improving their agency’s ability to collaborate with other agencies.[84]

Protecting Commonwealth information

14.79 ICT systems, such as access controls, can lessen the opportunity for inadvertent or deliberate non-compliance with information-handling guidelines and policies on the part of Commonwealth officers. Centrelink, for example, has implemented a ‘Deny Access Facility’ (DAF), which protects information about the location of certain high-risk clients. Only designated Centrelink officers are able to access DAF records. This limits the potential for the computer records of DAF clients to be accessed inappropriately by Centrelink staff, either inadvertently or by reason of a deliberate breach.[85] Other ICT systems, such as audit control mechanisms, may deter deliberate breaches by Commonwealth officers by facilitating the enforcement of secrecy obligations by Australian Government agencies.

14.80 In its 2009 Audit Report, Interim Phase of the Audit of Financial Statements of General Government Sector Agencies for the Year Ending 30 June 2009, the ANAO advised that information technology security controls implemented by Australian Government agencies had improved significantly over the preceding 12 months.[86] The ANAO advised that:

In 2007–08, almost a third of agencies did not have a current and management endorsed security governance structure in place. This year almost all agencies had established effective security governance controls.

Similarly, agencies have improved their network security procedures to provide authorised access and control of remote access information flows. The ANAO found this year that, in general, agencies have also improved their security awareness and training practices and procedures.[87]

14.81 There were some agencies, however, that still had significant security risks associated with their ICT systems.[88]

Sharing Commonwealth information

14.82 Effective ICT systems may also promote information-sharing by standardising information-handling practices that may otherwise be contentious or dependent on the exercise of individual discretion. By way of illustration, CrimTrac’s National Criminal Investigation DNA Database (NCIDD) provides police with access to what is effectively a national DNA database, with the capacity to conduct automated intra- and inter-jurisdictional DNA profile-matching. NCIDD has been designed to ensure that only links that comply with Commonwealth, state and territory legislative requirements are available for review. Access is user-based, with data security processes in place to manage and audit such access.[89]

14.83 In another context, the Secrecy and Disclosure Project, within the Serious Non Compliance branch of the ATO, is developing a streamlined system to manage the disclosure of protected tax information to law enforcement agencies and Project Wickenby partners.[90] This includes, for example, the creation of specific ‘information packages’, reflecting the information requested and its intended use; automatic reduction of sensitive material and watermarking where required; and secure, electronic dissemination of the approved information packages to the requesting agency.[91]

14.84 The use of ICT systems to foster whole of government activities and promote the principles of open government is receiving ongoing attention from the Australian Government. Several Australian Government-wide ICT strategies have been implemented to promote secure information sharing including FedLink, a whole of government encryption system, and GovDex, a web-based space for secure information sharing. Broader changes in the management of ICT at the Australian Government level are being considered in response to the recommendations of the Review of the Australian Government’s Use of Information and Communication Technology, led by Sir Peter Gershon (the Gershon review).

14.85 The report of the Gershon review was released in October 2008, and reported ‘ad hoc, reactive and siloed responses’ to ICT in Australian Government agencies,[92] which was hindering the ability of the Australian Government to ‘provide efficient and effective joined-up ICT-enabled services to citizens and businesses’.[93] The review made wide-ranging recommendations for reform, including the establishment of a ministerial council on ICT with responsibility for ICT policies and whole of government ICT[94] and a requirement for agencies to seek approval from the ministerial council to opt out of whole of government ICT arrangements.[95] In November 2008, the Australian Government endorsed the recommendations of the Gershon review in full and initiated the ICT Reform Program.[96]

14.86 Significant changes to the use of ICT systems to share information within and between agencies and, in particular, with members of the public are also likely to arise out of the recommendations of the Government 2.0 Taskforce, discussed in Chapter 2.

Submissions and consultations

14.87 In IP 34, the ALRC asked about the effectiveness of Australian Government ICT systems in protecting Commonwealth information.[97] Law enforcement agencies, in particular, highlighted the important role that ICT systems play in protecting official information. For example, AUSTRAC advised that it uses a ‘sophisticated and secure electronic system’ to collect, analyse and disseminate financial intelligence, including access controls that prevent a designated agency from accessing certain types of information without the appropriate authority; the capacity to audit an agency’s access to AUSTRAC information; and a secure international web-based system for the exchange of information overseas.[98] The Australian Federal Police noted that it has located reminders about secrecy requirements throughout its intranet where sensitive information is stored.[99]

14.88 Australian Government agencies in other areas also made submissions about how they use ICT systems to protect their information. The Australian Bureau of Statistics (ABS) noted that it tightly controls access to its ICT systems. ABS employees can only access those sensitive databases that they need in order to perform their duties, and the ABS conducts regular audits of access.[100] The AGD also advised that it had the capacity to ‘lock down’ information to certain persons on a need-to-know basis.[101]

14.89 In DP 74, the ALRC recognised the potential for ICT strategies to assist Commonwealth employees and others to comply with their obligations of secrecy and other information-handling responsibilities. The ALRC proposed that Australian Government agencies should implement ICT systems to facilitate the secure and convenient handling of Commonwealth information, including access controls and audit mechanisms.[102] The ALRC did not make a proposal about the use of ICT systems to promote information sharing.

14.90 Stakeholders that commented on this proposal were unanimously supportive.[103] The ATO, for example, advised that it has a strong information technology security culture, including a practice statement applicable to staff, contractors and service providers about the protection and security of the ATO’s ICT systems. The ATO further submitted that it regularly audits its ICT systems to ensure ongoing confidentiality, integrity and accessibility of its data.[104]

ALRC’s views

14.91 A diverse array of ICT strategies are used by Australian Government agencies to protect official information. Most commonly, these involve: (a) access controls to prevent employees and others from deliberately or inadvertently gaining access to unnecessary or sensitive information; and (b) audit mechanisms, to log who has gained access to particular files. Some agencies also employ ICT strategies to standardise information-sharing practices by their employees and, in this way, promote the sharing of information in appropriate circumstances.

14.92 The ALRC agrees that ICT strategies can assist Commonwealth employees and others to comply with their obligations of secrecy and other information-handling responsibilities. The ALRC recommends that Australian Government agencies should implement protective ICT systems—in particular, access controls and audit mechanisms.

14.93 The ALRC is not making a recommendation about the use of ICT systems to promote information sharing. This issue was comprehensively considered in the Gershon review, the recommendations of which the Australian Government is in the process of implementing. These issues will receive further attention by the Government 2.0 Taskforce.[105]

Recommendation 14–5 Australian Government agencies should put in place and maintain information and communication technology systems to facilitate the secure and convenient handling of Commonwealth information, including access controls and audit mechanisms.

[84] Australian Public Service Commission, State of the Service Report 2006–07 (2007), 241.

[85] Australian Government Child Support Agency and Centrelink, Protocol Governing the Disclosure of Information Between the Child Support Agency and Centrelink 1 October 2006–30 September 2008, 4.

[86] Australian National Audit Office, Interim Phase of the Audit of Financial (2009), 67.

[87] Ibid, 67–68.

[88] Ibid, 200–201.

[89] CrimTrac, Annual Report 2006–07 (2007), 18–21.

[90] Project Wickenby is a multi-agency taskforce led by the ATO to investigate tax avoidance, tax evasion and large-scale money laundering.

[91] D Boucher, Report of a Review of Information Handling Practices in the Serious Non Compliance Business Line of the Australian Taxation Office (2008), [119].

[92] P Gershon, Review of the Australian Government’s Use of Information and Communication Technology (2008), [4.1].

[93] Ibid, [4.1].

[94] Ibid, [5.1.1].

[95] Ibid, [5.1.3].

[96] Department of Finance and Deregulation, Review of the Australian Government’s Use of Information and Communication Technology (2009) <www.finance.gov.au/publications/ICT-Review/index.html> at 20 November 2009.

[97] Australian Law Reform Commission, Review of Secrecy Laws, Issues Paper 34 (2008), Question 6–3(c).

[98] Australian Transaction Reports and Analysis Centre, Submission SR 31, 2 March 2009.

[99] Australian Federal Police, Submission SR 33, 3 March 2009.

[100] Australian Bureau of Statistics, Submission SR 28, 24 March 2009.

[101] Attorney-General’s Department, Submission SR 36, 6 March 2009.

[102] Australian Law Reform Commission, Review of Secrecy Laws, Discussion Paper 74 (2009), Proposal 15–6.

[103] Department of Human Services, Submission SR 83, 8 September 2009; Department of Health and Ageing, Submission SR 81, 28 August 2009; R Fraser, Submission SR 78, 21 August 2009; Indigenous Business Australia, Submission SR 64, 13 August 2009; Australian Taxation Office, Submission SR 55, 7 August 2009.

[104] Australian Taxation Office, Submission SR 55, 7 August 2009.

[105] Government 2.0 Taskforce, Towards Government 2.0: An Issues Paper (2009).